It is little known that user namespaces and some helpers can be used to bypass negative permissions. Signed-off-by: Richard Weinberger <richard@xxxxxx> --- This patch applies to the acl software project. --- man/man5/acl.5 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/man/man5/acl.5 b/man/man5/acl.5 index 0db86b325617..2ed144742e37 100644 --- a/man/man5/acl.5 +++ b/man/man5/acl.5 @@ -495,5 +495,20 @@ These non-portable extensions are available on Linux systems. .Xr acl_from_mode 3 , .Xr acl_get_perm 3 , .Xr acl_to_any_text 3 +.Sh NOTES +.Ss Negative permissions and Linux user namespaces +While it is technically feasible to establish negative permissions through +ACLs, such an approach is widely regarded as a suboptimal practice. +Furthermore, the utilization of Linux user namespaces introduces the +potential to circumvent specific negative permissions. This issue stems +from the fact that privileged helpers, such as +.Xr newuidmap 1 , +enable unprivileged users to create user namespaces with subordinate user and +group IDs. As a consequence, users can drop group memberships, resulting +in a situation where negative permissions based on group membership no longer +apply. +For more details, please refer to the +.Xr user_namespaces 7 +documentation. .Sh AUTHOR Andreas Gruenbacher, <andreas.gruenbacher@xxxxxxxxx> -- 2.26.2
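Review bot: In the new "Negative permissions and Linux user namespaces" paragraph, the bypass described is about group IDs and dropping group memberships, but the only helper cited is newuidmap(1), which writes the user ID map. The group ID map is written by newgidmap(1), so the text should name it as well, for example "privileged helpers, such as" followed by ".Xr newuidmap 1" and ".Xr newgidmap 1 ,". The paragraph also uses "negative permissions" without defining it; one sentence saying that it means an ACL or mode granting a group fewer permissions than "other" would let a reader recognise whether their own ACLs are affected. Finally, the wording could be tightened ("the utilization of" can be "using", "such an approach is widely regarded as a suboptimal practice" can be "this is considered bad practice") to match the terse style of the rest of acl.5.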